colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

landlock-sandboxer: init

Browse Source
This commit is contained in:
Colin
2024-01-26 16:52:33 +00:00
parent 64878bee67
commit e21dbd507d
2 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
pkgs/additional/landlock-sandboxer/default.nix Normal file
View File

@@ -0,0 +1,35 @@
# N.B.: landlock is a relatively new thing as of 2024/01;
# `pkgs.linux` is kinda old.
# may want to use `linux_latest`, here and everywhere, if you find landlock to be lacking.
{ stdenv
, linux
}:
stdenv.mkDerivation rec {
pname = "landlock-sandboxer";
version = linux.version;
src = linux.src;
sourceRoot = "linux-${version}/samples/landlock";
makeFlags = [ "sandboxer" ];
installPhase = ''
mkdir -p $out/bin
install -m755 sandboxer $out/bin
'';
meta = {
description = ''
The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
'';
homepage = "https://landlock.io";
};
}
# alternatively, build more in line with kernel's build system.
# takes longer, but may inherit hardening settings and the like.
# linux.overrideAttrs (_: {
# buildFlags = [ "-C" "../samples/landlock" "sandboxer" ];
# installPhase = ''
# mkdir -p $out/bin
# install -m755 ../samples/landlock/sandboxer $out/bin
# '';
# })

1
pkgs/default.nix
View File

@@ -40,6 +40,7 @@ let
gpodder-configured = callPackage ./additional/gpodder-configured { }; gpodder-configured = callPackage ./additional/gpodder-configured { };
jellyfin-media-player-qt6 = callPackage ./additional/jellyfin-media-player-qt6 { }; jellyfin-media-player-qt6 = callPackage ./additional/jellyfin-media-player-qt6 { };
koreader-from-src = callPackage ./additional/koreader-from-src { }; koreader-from-src = callPackage ./additional/koreader-from-src { };
landlock-sandboxer = callPackage ./additional/landlock-sandboxer { };
ldd-aarch64 = callPackage ./additional/ldd-aarch64 { }; ldd-aarch64 = callPackage ./additional/ldd-aarch64 { };
lemoa = callPackage ./additional/lemoa { }; lemoa = callPackage ./additional/lemoa { };
lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { }; lightdm-mobile-greeter = callPackage ./additional/lightdm-mobile-greeter { };